A group of R1 jailbreakers found a massive security flaw in Rabbit's code
What could Rabbitude access with the ElevenLabs API key?

With the ElevenLabs API key, Rabbitude claims it could access every response ever given by Rabbit R1 devices, including those containing sensitive information [1]. Additionally, they could get a history of all past text-to-speech messages, change voices, add custom text replacements, delete voices, and potentially crash the rabbitOS backend, bricking all Rabbit R1 devices [5].
How do the hardcoded API keys threaten security?

Hardcoded API keys pose a significant security risk as they can be easily exposed if the source code is leaked or shared [2]. Attackers can gain access to sensitive information, such as passwords or encryption keys, and potentially compromise the entire system. Proper secrets management and avoiding hardcoded secrets are crucial to mitigating these risks.
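As an added illustration (not code from Rabbit, Rabbitude or the original article), the sketch below shows the kind of pre-commit check that catches hardcoded keys before they reach a repository. The SendGrid key shape, the credential-name heuristic, the entropy threshold and the sample keys are assumptions constructed for this example.

```python
import math
import re

# Assumed SendGrid key shape: "SG." + 22 chars + "." + 43 chars.
SENDGRID_KEY = re.compile(
    r"(?<![A-Za-z0-9_-])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"
)
# Heuristic (an assumption): a string literal assigned to a credential-like name.
ASSIGNMENT = re.compile(
    r"\b([a-z_]*(?:api_?key|secret|token|passw(?:or)?d)[a-z_]*)"
    r"\s*[:=]\s*[\"']([^\"']{16,})[\"']",
    re.IGNORECASE,
)


def shannon_entropy(value):
    """Bits per character; random keys score well above ordinary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(source, min_entropy=3.5):
    """Return (line_number, rule) for each line that embeds a likely secret."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if SENDGRID_KEY.search(line):
            findings.append((number, "sendgrid-key"))
            continue
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(2)) >= min_entropy:
            findings.append((number, "hardcoded-credential"))
    return findings


# Constructed sample source; both keys are fake values built for this example.
SAMPLE = "\n".join([
    "import os",
    'ELEVENLABS_API_KEY = "3f9a1c7e5b2d4f6a8c0e1b3d5f7a9c2e"',
    'sendgrid = Client("SG.' + "A" * 22 + "." + "B" * 43 + '")',
    'api_key = os.environ["ELEVENLABS_API_KEY"]  # read at runtime, not flagged',
])

if __name__ == "__main__":
    for line_number, rule in scan(SAMPLE):
        print(f"line {line_number}: {rule}")
```

A scan like this only reduces the chance of committing a key; any key that has already appeared in source still has to be revoked and reissued.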
Which third-party services are affected by Rabbit's breach?

Rabbit's breach affected its accounts with third-party services like its text-to-speech provider ElevenLabs and the company's SendGrid account, which is used for sending emails from its rabbit1.tech domain.